CVE-2020-10216

Name of the Vulnerable Software and Affected Versions D-Link DIR-825 version 2.10 TRENDnet TEW-632BRP version 1.010B32

Description An issue exists that allows remote attackers to execute arbitrary commands via the date parameter in a "system time.cgi" POST request. The vulnerability is due to the lack of neutralization of special elements used in the operating system command. This can allow a remote attacker to execute arbitrary commands.

Recommendations For D-Link DIR-825 version 2.10, consider disabling the system time.cgi component until a patch is available. For TRENDnet TEW-632BRP version 1.010B32, restrict access to the system time.cgi endpoint to minimize the risk of exploitation. Avoid using the date parameter in the affected "system time.cgi" API endpoint until the issue is resolved.